How to Use Your Cat to Hack Your Neighbor's Wi-Fi

Share

How to Use Your Cat to Hack Your Neighbor's Wi-Fi

Coco, modeling the WarKitteh collar.

Gene Bransfield

Late last month, a Siamese cat named Coco went wandering in his suburban Washington, DC neighborhood. He spent three hours exploring nearby backyards. He killed a mouse, whose carcass he thoughtfully brought home to his octogenarian owner, Nancy. And while he was out, Coco mapped dozens of his neighbors' Wi-Fi networks, identifying four routers that used an old, easily-broken form of encryption and another four that were left entirely unprotected.

Unbeknownst to Coco, he'd been fitted with a collar created by Nancy's granddaughter's husband, security researcher Gene Bransfield. And Bransfield had built into that collar a Spark Core chip loaded with his custom-coded firmware, a Wi-Fi card, a tiny GPS module and a battery—everything necessary to map all the networks in the neighborhood that would be vulnerable to any intruder or Wi-Fi mooch with, at most, some simple crypto-cracking tools.

In the 1980s, hackers used a technique called "wardialing," cycling through numbers with their modems to find unprotected computers far across the internet. The advent of Wi-Fi brought "wardriving," putting an antenna in a car and cruising a city to suss out weak and unprotected Wi-Fi networks. This weekend at the DefCon hacker conference in Las Vegas, Bransfield will debut the next logical step: The "WarKitteh" collar, a device he built for less than $100 that turns any outdoor cat into a Wifi-sniffing hacker accomplice.

Skitzy the cat.

Gene Bransfield

Despite the title of his DefCon talk—"How To Weaponize Your Pets"–Bransfield admits WarKitteh doesn't represent a substantial security threat. Rather, it's the sort of goofy hack designed to entertain the con's hacker audience. Still, he was surprised by just how many networks tracked by his data-collecting cat used WEP, a form of wireless encryption known for more than ten years to be easily broken. "My intent was not to show people where to get free Wi-Fi. I put some technology on a cat and let it roam around because the idea amused me," says Bransfield, who works for the security consultancy Tenacity. "But the result of this cat research was that there were a lot more open and WEP-encrypted hot spots out there than there should be in 2014."

In his DefCon talk, Bransfield plans to explain how anyone can replicate the WarKitteh collar to create their own Wifi-spying cat, a feat that's only become easier in the past months as the collar's Spark Core chip has become easier to program. Bransfield came up with the idea of feline-powered Wi-Fi reconnaissance when someone attending one of his security briefings showed him a GPS collar designed to let people locate their pets by sending a text message. "All it needed was a Wi-Fi sniffer," he says. "I thought the idea was hilarious, and I decided to make it."

His first experiment involved hiding an HTC Wildfire smartphone in the pocket of a dog jacket worn by his coworker's tabby, Skitzy. Skitzy quickly managed to worm out of the jacket, however, losing Bransfield's gear. "It was a disaster," he says. "That cat still owes me a phone."

The WarKitteh collar with its components and wiring removed, with a dollar bill for scale.

Gene Bransfield

Bransfield spent the next months painstakingly creating the WarKitteh, using Spark's Arduino-compatible open source hardware and enlisting Nancy to sew it into a strip of cloth. When he finally tested it on Skitzy, however, he was disappointed to find the cat spent the device's entire battery life sitting on his coworker's front porch.

Coco turned out to be a better spy. Over three hours, he revealed 23 Wi-Fi hotspots, more than a third of which were open to snoops or used crackable WEP instead of the more modern WPA encryption. Bransfield mapped those networks in a program created by an Internet collaborator that uses Google Earth's API, shown in a video below. The number of vulnerable access points surprised Bransfield; He says that several of the WEP connections were Verizon FiOS routers left with their default settings unchanged.

Though he admits his cat stunt was mostly intended to entertain himself, he hopes it might make more users aware of privacy lessons those in the security community have long taken for granted. “Cats are more interesting to people than information security,” Bransfield says. “If people realize that a cat can pick up on their open Wi-Fi hotspot, maybe that’s a good thing.”